HP VPN Firewall Appliances VPN Command Reference

Usage guidelines
In descending order of both security and required computation time, the four groups are: the 2048-bit Diffie-Hellman group (dh-group14), the 1536-bit Diffie-Hellman group (dh-group5), the 1024-bit Diffie-Hellman group (dh-group2), and the 768-bit Diffie-Hellman group (dh-group1).
This command makes IPsec perform an additional key exchange during the phase 2 negotiation, providing an additional level of security.
The local Diffie-Hellman group must be the same as that of the peer.
This command can be used only when the SAs are to be set up through IKE negotiation.
Related commands
ipsec policy-template
ipsec policy (system view)
ipsec profile (system view)
Examples
# Enable and configure PFS for IPsec policy policy1.
<Sysname> system-view
[Sysname] ipsec policy policy1 200 isakmp
[Sysname-ipsec-policy-isakmp-policy1-200] pfs dh-group1
policy enable
Use policy enable to enable the IPsec policy.
Use undo policy enable to disable the IPsec policy.
Syntax
policy enable
undo policy enable
Default
The IPsec policy is enabled.
Views
IPsec policy view, IPsec policy template view
Default command level
2: System level
Usage guidelines
The command is not applicable to manual IPsec policies.
If the IPsec policy is not enabled for the IKE peer, the peer cannot take part in the IKE negotiation.
Examples
# Enable the IPsec policy with the name policy1 and sequence number 100.
<Sysname> system-view
[Sysname] ipsec policy policy1 100 isakmp
[Sysname-ipsec-policy-isakmp-policy1-100] policy enable
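The following audit script is an added example, not part of this reference and not HP's code. It applies the pfs and policy enable guidelines above to a constructed configuration excerpt: it parses each ipsec policy block, ranks the configured pfs group by the order given for the pfs command, skips manual policies (to which neither command applies), and flags entries where policy enable has been undone. The 2048-bit minimum and the optional template clause in the policy line are assumptions.

```python
import re

# Diffie-Hellman groups in the descending order of strength given in the reference.
DH_GROUP_BITS = {"dh-group14": 2048, "dh-group5": 1536, "dh-group2": 1024, "dh-group1": 768}

# Trailing "template <name>" clause is an assumed variant of the policy line.
POLICY_RE = re.compile(r"^ipsec policy (\S+) (\d+) (isakmp|manual)(?: template \S+)?\s*$")
PFS_RE = re.compile(r"^\s*pfs (dh-group\d+)\s*$")
UNDO_ENABLE_RE = re.compile(r"^\s*undo policy enable\s*$")

# Constructed sample: two IKE-negotiated entries of policy1 and one manual policy.
SAMPLE_CONFIG = """\
ipsec policy policy1 100 isakmp
 pfs dh-group14
#
ipsec policy policy1 200 isakmp
 pfs dh-group1
 undo policy enable
#
ipsec policy policy2 10 manual
#
"""

def audit_ipsec_policies(config_text, min_bits=2048):
    """Map 'name seq' -> {mode, pfs, enabled, issues} for each ipsec policy entry."""
    findings, current = {}, None
    for line in config_text.splitlines():
        if m := POLICY_RE.match(line):
            name, seq, mode = m.groups()
            current = f"{name} {seq}"
            findings[current] = {"mode": mode, "pfs": None, "enabled": True, "issues": []}
        elif line.startswith("#"):
            current = None                      # block separator ends the policy view
        elif current and (m := PFS_RE.match(line)):
            findings[current]["pfs"] = m.group(1)
        elif current and UNDO_ENABLE_RE.match(line):
            findings[current]["enabled"] = False
    for entry in findings.values():
        if entry["mode"] == "manual":
            continue                            # pfs and policy enable do not apply here
        group = entry["pfs"]
        if group is None:
            entry["issues"].append("no PFS configured")
        elif group not in DH_GROUP_BITS:
            entry["issues"].append(f"unrecognised group {group}")
        elif DH_GROUP_BITS[group] < min_bits:
            entry["issues"].append(f"{group} is {DH_GROUP_BITS[group]}-bit, below {min_bits}-bit minimum")
        if not entry["enabled"]:
            entry["issues"].append("policy disabled: peer cannot take part in IKE negotiation")
    return findings
```

Run it over the output of display current-configuration from the appliance to find policies that still negotiate with dh-group1 or dh-group2, or that have been disabled and will never join an IKE negotiation.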